Hello,

I want to forward port 81 to internal ip, here ir how I tried:
Whey I try to connect my.wan.ip:81 - connection timed out. Where is the problem? Do I need to add something else in NAT?

Thanks,
kristapsb

You also need source nat rule to masquerade your local network.

Hello,

Code: Select all

/ip firewall nat add chain=dstnat dst-address=my.wan.ip protocol=tcp dst-port=81 \
    action=dst-nat to-addresses=192.168.1.103 to-ports=0-65535

Whey I try to connect my.wan.ip:81 - connection timed out. Where is the problem? Do I need to add something else in NAT?

Yeah, you do. Forward the 81. from wan to 81. at internal IP, not 81. to all ports

You also need source nat rule to masquerade your local network.

I allready have masquerade for ether1 ( wan port ).
How can I do this for local network?

In the masquerade you should mention the internal subnet. It is all written in FM (fine manual), so please, feel free to RTFM!

Code: Select all

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

How can I do this for local network?

Just by putting that in. The firewall matches each packet, the more specific you get the less it will match, the more general you make it the more it will match. If you only wanted to masquerade for only one subnet you make a rule like this: You can also get more specific and add in an in-interface, or any other options you want. Just be careful to not get too specific otherwise you can wind up not masquerading traffic that you want. The same goes for every other firewall rule as well, you can also be too general and catch things you don't want.

Here is a print out of the nat rules I have in place:

0 chain=srcnat action=masquerade out-interface=ether1
src-address=192.168.2.0/24

1 chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=23
in-interface=ether1 dst-address=10.0.0.17 dst-port=5000 protocol=tcp

I'm attempting to translate the port externally from 5000 to port 23 internally.

It's not working. Any ideas folks?

AND YES I'VE RTFM just didn't have the right bit of how to from the manual sink in apparently.

HELP! this should be soooo simple.

Thanks...

On a side note... I have another router setup that is running 3.35 and those rules work as to where the ones not working are running 3.25.

Here are the rules from the one thats working.

0 chain=srcnat action=masquerade src-address=192.168.2.0/24
out-interface=ether1

1 chain=dstnat action=dst-nat to-addresses=192.168.2.154 to-ports=3389
protocol=tcp in-interface=ether1 dst-port=8889

I would just upgrade that router to the newer version but i'm really curious as to why it's not working. If this version of the OS needs different criteria or something. So before I upgrade I want to figure out if older version need different syntax. Any one else experienced this before?